From 9a2e59272dd138e5aece3ef5fbbcbac6ebadd23b Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Mon, 27 Jun 2022 15:36:09 +0200
Subject: compiler: fix stack mismatch on nonmatching switch statements with locals

When a switch statement containing cases with local variable declarations and no default case is evalulated and none of the the cases matched, the local variable slots were never initialized but got popped off the stack when execution resumed after the switch scope, leading to a mismatch in stack layout between compiler and runtime, causing local variables to yield wrong values or a stack underflow triggering a segmentation fault. Solve this issue by patching the last conditional case match jump to hop beyond the local variable pop instructions when no default case is defined. Also extend the regression test case dealing with other switch related stack mismatch issues to cover this particular problem as well.

Signed-off-by: Jo-Philipp Wich
---
 compiler.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'compiler.c')

diff --git a/compiler.c b/compiler.c
index e5a294a..7a533f5 100644
--- a/compiler.c
+++ b/compiler.c
@@ -2475,7 +2475,7 @@ out:
 static void
 uc_compiler_compile_switch(uc_compiler_t *compiler)
 {
-	size_t i, test_jmp, skip_jmp, next_jmp, value_slot, default_off = 0;
+	size_t i, test_jmp, skip_jmp, next_jmp = 0, value_slot, default_off = 0;
 	uc_chunk_t *chunk = uc_compiler_current_chunk(compiler);
 	uc_patchlist_t p = { .depth = compiler->scope_depth };
 	uc_locals_t *locals = &compiler->locals;
@@ -2628,6 +2628,10 @@ uc_compiler_compile_switch(uc_compiler_t *compiler)
 		/* jump to target */
 		uc_compiler_emit_jmp_dest(compiler, 0, cases.entries[default_off + 2]);
+
+		/* do not patch final match failure jump later, we handle it here
+		 * in the default case */
+		next_jmp = 0;
 	}
 	uc_compiler_set_jmpaddr(compiler, skip_jmp, chunk->count);
@@ -2640,6 +2644,16 @@ uc_compiler_compile_switch(uc_compiler_t *compiler)
 	uc_compiler_leave_scope(compiler);
+	/* if no default case exists, patch last case match failure jump */
+	if (next_jmp) {
+		/* There's pop instructions for all local variables including the
+		 * switch test value itself on the stack. Jump onto the last POP
+		 * instruction (-1) to get rid of the on-stack switch test value
+		 * but skip the POP instructions for all other scoped local variables
+		 * which never have been initialized. */
+		uc_compiler_set_jmpaddr(compiler, next_jmp, chunk->count - 1);
+	}
+
 	uc_compiler_backpatch(compiler, chunk->count, 0);
 }
-- 
cgit v1.2.3
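Review bot: The new `if (next_jmp)` block derives the jump target positionally as `chunk->count - 1`, which only holds if `uc_compiler_leave_scope` has just emitted exactly one single-byte POP per scoped local with the test value's POP last; should that helper ever emit a different or multi-byte instruction for some local (a captured local would be the obvious candidate, though that code is not visible in this hunk), the patched jump lands mid-instruction or on the wrong pop and the compiler/runtime stack mismatch this commit fixes returns in another guise. That assumption deserves to be pinned rather than implied, either by recording the offset of the final pop explicitly or by asserting the emitted opcode at that offset before patching, alongside a comment such as `/* relies on leave_scope emitting exactly one 1-byte POP per local, test value last */`. The comment should also say why `next_jmp == 0` is a safe "no pending jump" sentinel, i.e. that no case match jump can be emitted at chunk offset 0. uc_compiler_compile_switch begins outside this hunk, in the first hunk of the patch.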